Biggest shake up to data privacy laws in 20 years – Are we ready for GDPR?

The General Data Protection Regulation comes into force on 25 May this year and is the biggest shake up to European data privacy laws in 20 years. New Zealand businesses must consider whether the Regulation impacts on the way it processes personal information and should use this opportunity to undertake a risk assessment of its data protection framework more generally.

The aim of the Regulation is to harmonise data protection laws in the European Union, and address fundamental challenges faced by data protection laws as a result of the dramatically different technological environment we are now operating in.

Data knows no boundaries

One fundamental challenge for individuals (and their personal data) is that their data no longer respects national boundaries. It is for this reason that one of the most significant changes to the data protection framework is to extend the Regulation’s reach to businesses based outside the Union.

Therefore, from 25 May this year, a business anywhere in the world will be subject to the Regulation where:

it processes or controls personal data of individuals residing in the Union; and

the processing activities are related to offering goods and services to, or monitoring the behaviour of, individuals in the Union. This is regardless of whether the business receives payments for such goods or services.

Impact of the Regulation on New Zealand business

The majority of New Zealand-based small to medium sized businesses are not likely to fall within the scope of the Regulation. However, it will apply to New Zealand businesses that operate on a more global scale and/or actively market their goods or services to individuals based in the Union. While geographically New Zealand is a long way from the Union (and may not process and control personal data on the scale of other territories) this does not mean that a supervisory authority will not take action and hold businesses to the Regulation’s standards.

Offering goods and services

New Zealand businesses who operate in the EU market and process or control personal data will need to understand whether they will be offering, or have the potential to offer, goods and services to individuals in the Union.

Strong indicators that a business might be caught by the Regulation include whether the business operates a website using a member state top level domain name (e.g. www.example.co.de for Germany), the business is using the language of a member state or the currency of a member state that is not used in the business’s home state, or where it targets advertising at individuals in a member state (either directly or by mentioning customers who are based in the Union).

Monitoring

What constitutes ‘monitoring’ is slightly less clear, but we expect it to mean more intrusive activities (such as tracking individuals across multiple websites, or using apps to track location).

Ready and compliant?

The Union’s supervisory authorities will expect all businesses to be GDPR ready and compliant by 25 May. It will be crucial for New Zealand businesses to undertake an assessment of their business activities that may touch on the personal data of individuals residing in the Union.

New Zealand businesses should use this as an opportunity to undertake a review of their privacy framework to ensure their practices are up to standard, not only with the Regulation, but also fit for local purpose.

Three key factors for compliance

If the Regulation applies to your business, there are three key areas that you will need to get to grips with.

1. Appoint a data protection officer

If the core activities of your business consist of processing personal data on a large scale or require regular and systematic monitoring of individuals in the Union, you will need to appoint a data protection officer who should be based in the Union.

This representative will perform a similar role to that of a Privacy Officer under New Zealand’s Privacy Act, with the key responsibilities of liaising with the relevant supervisory authorities and monitoring your business’ compliance with the Regulation. The Regulation also provides for safeguards to protect the independence of the data protection officer, including that the data protection officer cannot be dismissed or penalised for performing their tasks as the officer.

If your business needs to appoint a data protection officer, it should immediately start considering whether there is someone within the business who is well placed to take on these duties. If not, you may need to go to market to look for an appropriate individual who is prepared to take this role on.

2. Comply and demonstrate compliance

Your business will need to comply and demonstrate compliance with the Regulation. Given the increase in sanctions under the Regulation (set out below), the risk of non-compliance is far greater than before and we do not consider that any supervisory authority will take non-compliance lightly (regardless of the size or location of the business).

In particular, your business will need to:

comply with the Regulation’s six general data protection principles (which are largely similar to New Zealand’s information privacy principles set out in the Privacy Act);

be aware that the threshold for obtaining consent to process personal data is much higher than in New Zealand. Consent requires a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the individual’s authorisation. We note that silence, pre-tricked boxes, or inactivity is not enough to constitute consent or deemed consent under the Regulation;

ensure that your internal systems and processes are updated to enable:

the erasure of personal data on request of the individual (otherwise known as “the right to be forgotten”); and

the right to data portability, meaning that on request an individual is entitled to receive a copy of all personal data held about them in a structured, commonly used and machine-readable format;

update EU facing privacy notices to ensure they comply with the Regulation (or adopting a separate privacy policy for individuals in the Union); and

demonstrate compliance with the Regulation by updating or creating policies and procedures on how your business processes personal data and keeping adequate records of such processing activities.

3. Understand breach reporting

Your business will need to be aware of the requirement to report all data breaches that may pose a risk to the rights and freedoms of an individual to the supervisory authority within 72 hours of the breach (where feasible). Further, you may need to notify affected individuals if there is a high risk to their rights and freedoms.

An internal procedure to deal with and manage data breaches should be developed. This will enable your business to react swiftly and appropriately to any breach.

Anti-trust style sanctions regime

The Regulation has a much greater focus on compliance and, in line with its aim to make data protection a boardroom issue, it introduces an anti-trust type sanctions regime with fines of up to the greater of EUR20 million or 4% of annual worldwide turnover.

This gives the supervisory authorities significantly more teeth than we have seen before both in New Zealand and in the Union.

Action points for New Zealand businesses

Although it’s not yet clear how the Union’s enforcement agencies would bring proceedings against a New Zealand based company with no physical or legal presence in the Union, the potential reputational damage for non-compliance could be just as damaging to a business’s profile.

We recommend that any New Zealand business that is subject to the jurisdiction of the Regulation:

review current levels of compliance;

take immediate action to bring compliance up to the level required under the Regulation; and

consider overall attitude to risk and whether to implement a risk management framework.

We also note that data processors now have specific obligations under the Regulation in relation to their processing activities. This means that it will no longer be appropriate in all cases for data processors to push all responsibility and liability for the protection of personal data onto the data controller through the relevant contractual arrangements. Therefore, if your business is subject to the Regulation or you are seeking to engage a third party data processor that is based in the Union, you should keep in mind that the relevant contractual provisions around the use, security and liability of personal data should align with the principles set out in the Regulation.

Additional author

Suzy McMillan, Senior Solicitor

Suzy has extensive experience advising clients on all commercial and technology legal matters including privacy and data protection, consumer law, supply and services agreements and customer facing terms and conditions.